CVE-2009-1151

CVSS 9.8 CRITICAL · EPSS 95.4% · KEV · CWE-94
In short

phpMyAdmin allows attackers to inject malicious PHP code into configuration files through the setup interface. This can give attackers complete control over the database server and all its data.

Technical detail

Remote code injection vulnerability in setup.php (CWE-94) affecting phpMyAdmin 2.11.x before 2.11.9.5 and 3.x before 3.1.3.1. The save action fails to properly validate or sanitize input, allowing unauthenticated attackers to execute arbitrary PHP code via configuration file manipulation, resulting in complete system compromise.

Summary generated and translated by AI from the official description.
Static code injection vulnerability in setup.php in phpMyAdmin 2.11.x before 2.11.9.5 and 3.x before 3.1.3.1 allows remote attackers to inject arbitrary PHP code into a configuration file via the save action.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected products
n/a · n/a
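
The affected ranges in the description above can be turned into an inventory check. This is an added example, not code from phpMyAdmin or from this page's publisher; the function names, host names and sample versions are constructed, and treating a pre-release of a fixed version as affected is an assumption.

```python
import re

# Affected ranges as stated in the CVE description: (branch, first fixed release).
AFFECTED = [
    ((2, 11), (2, 11, 9, 5)),  # 2.11.x before 2.11.9.5
    ((3,), (3, 1, 3, 1)),      # 3.x before 3.1.3.1
]

def parse_version(text):
    """Split '3.1.3.1-rc1' into ((3, 1, 3, 1), True); True marks a pre-release suffix."""
    m = re.match(r"\s*v?(\d+(?:\.\d+)*)(.*)$", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(p) for p in m.group(1).split(".")), bool(m.group(2).strip())

def classify(version):
    """Return 'affected', 'fixed', or 'not-listed' for one phpMyAdmin version string."""
    nums, prerelease = parse_version(version)
    for branch, fixed in AFFECTED:
        if nums[:len(branch)] != branch:
            continue
        # Pad to equal length so 3.1.3 compares as 3.1.3.0, i.e. below 3.1.3.1.
        width = max(len(nums), len(fixed))
        have = nums + (0,) * (width - len(nums))
        need = fixed + (0,) * (width - len(fixed))
        # Assumption: a pre-release of the fixed version is treated as still affected.
        if have < need or (have == need and prerelease):
            return "affected"
        return "fixed"
    return "not-listed"  # branch is not named in the CVE description

def triage(inventory):
    """Map host -> status; strings without a version number become 'unparsed'."""
    out = {}
    for host, version in inventory.items():
        try:
            out[host] = classify(version)
        except ValueError:
            out[host] = "unparsed"
    return out

# Constructed inventory (hypothetical hosts), not data from the page.
SAMPLE = {"db-admin-01": "2.11.9.4", "db-admin-02": "3.1.3", "db-admin-03": "3.1.3.1",
          "db-admin-04": "2.10.3", "db-admin-05": "unknown"}

if __name__ == "__main__":
    for host, status in triage(SAMPLE).items():
        print(f"{host}: {status}")
```

A "not-listed" result means only that the branch is outside the two ranges named in the description, and "unparsed" hosts need a manual look.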